You may already know that Azure AD uses advanced technologies to protect your credentials, especially your password. It even detects whether the password you are trying to set (for example, when you have to change it after it expires) is too commonly used, has been compromised, or is banned.

This is a huge security feature, but until now it was only available if you use Azure AD for authentication. Starting today (in preview), you can use these capabilities with your on-premises Active Directory through a component called Azure AD Password Protection for Windows Server Active Directory.

Requirements

First things first, here are the requirements to get it working with your on-premises environment:

Deployment

AzureADPasswordProtectionDCAgent.msi: to be deployed on domain controllers

AzureADPasswordProtectionProxy.msi: manages the communication between your AD DS domain controllers and Azure AD to deliver the service. As usual, it is recommended to deploy it on at least 2 servers for fault tolerance

Deploy the proxy agent

Deploy the proxy agent (AzureADPasswordProtectionProxy.msi) on at least 2 servers and register each of them

NOTE you can deploy it silently as no installation options are required (msiexec.exe /i AzureADPasswordProtectionProxy.msi /quiet /qn, or with SCCM) and then, once ready, execute the registration steps
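Added example (not from the original post): a small PowerShell wrapper around the silent msiexec install quoted above. It adds a verbose install log and inspects the msiexec exit code so that a "reboot required" result (relevant for the DC agent, which needs a restart) is reported instead of silently ignored. The MSI paths are assumptions; adjust them to wherever you staged the installers.

```powershell
# Added example, not code from the original post.
# Silently installs one of the Azure AD Password Protection MSIs with the
# /quiet /qn switches from the post and reports the msiexec exit code.

function Install-PasswordProtectionMsi {
    param(
        [Parameter(Mandatory)] [string] $MsiPath,
        [string] $LogPath = "$env:TEMP\$([IO.Path]::GetFileNameWithoutExtension($MsiPath)).log"
    )

    if (-not (Test-Path -LiteralPath $MsiPath)) {
        throw "MSI not found: $MsiPath"
    }

    # /norestart keeps msiexec from rebooting a domain controller on its own;
    # /l*v writes a verbose log that is the first thing to read when an install fails.
    $msiArgs = @('/i', "`"$MsiPath`"", '/quiet', '/qn', '/norestart', '/l*v', "`"$LogPath`"")
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

    switch ($proc.ExitCode) {
        0       { [pscustomobject]@{ Msi = $MsiPath; Result = 'Installed'; RebootRequired = $false } }
        3010    { [pscustomobject]@{ Msi = $MsiPath; Result = 'Installed'; RebootRequired = $true  } }  # ERROR_SUCCESS_REBOOT_REQUIRED
        1641    { [pscustomobject]@{ Msi = $MsiPath; Result = 'Installed'; RebootRequired = $true  } }  # ERROR_SUCCESS_REBOOT_INITIATED
        default { throw "msiexec failed for $MsiPath with exit code $($proc.ExitCode); see $LogPath" }
    }
}

# On a proxy server (assumed staging path): install, then run the registration steps from the post.
$proxy = Install-PasswordProtectionMsi -MsiPath 'C:\Install\AzureADPasswordProtectionProxy.msi'
$proxy

# On a domain controller (assumed staging path): the DC agent requires a restart, so surface it.
$dc = Install-PasswordProtectionMsi -MsiPath 'C:\Install\AzureADPasswordProtectionDCAgent.msi'
if ($dc.RebootRequired) {
    Write-Warning 'DC agent installed; restart the domain controller to complete the installation.'
}
```

Run the proxy call on the proxy servers and the DC agent call on each domain controller; the two are shown together only to illustrate both installers. Because msiexec returns 3010 rather than rebooting when /norestart is set, the script can schedule the DC restart in a maintenance window instead of having it happen mid-deployment.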

Register and configure the proxy agent

Open a PowerShell prompt using the run as administrator and execute the following command

NOTE if you already had a PowerShell prompt open, you will need to open a new one

You can check that the registration completed successfully (unless you got an error message) by opening the AzureADPasswordProtection log in the Windows Event Viewer (under Applications and Services Logs\Microsoft\AzureADPasswordProtection\Operational) and looking for the events:

3000 which logs the registration start

3001 which logs the successful registration

Then you can register your AD DS forest using the command

NOTE you need to run this AD DS forest registration step only once. If you deploy multiple proxy agents, there is no need to run this command again

You can check that the forest registration completed successfully (unless you got an error message) by opening the AzureADPasswordProtection log in the Windows Event Viewer (under Applications and Services Logs\Microsoft\AzureADPasswordProtection\Operational) and looking for the events:

3003 which logs the registration start

3004 which logs the successful registration

A new service container is created in your AD DS forest. This container is used to register all agents (DC or proxy) and the certificates used to authenticate against Azure AD

Deploy the DC agent

NOTE a server restart is required after installing the DC agent

Run AzureADPasswordProtectionDCAgent.msi and restart the domain controller

You can check that the DC agent started successfully (after the server restart) by opening the AzureADPasswordProtection DCAgent log in the Windows Event Viewer (under Applications and Services Logs\Microsoft\AzureADPasswordProtection\DCAgent\Operational) and looking for the events:

1000 which logs the DLL load

2001 which logs the successful start of the Azure AD Password Protection service
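Added example (not from the original post): a PowerShell check that looks up the event IDs listed above (3000/3001 and 3003/3004 on the proxy, 1000/2001 on the domain controller) so you can verify a whole fleet of proxies and DCs without clicking through Event Viewer. The event log channel names are assumptions derived from the Event Viewer paths given in the post; the script aborts with a hint if a channel does not exist, and you can list the real names with `Get-WinEvent -ListLog *AzureADPasswordProtection*`.

```powershell
# Added example, not code from the original post.
# Reports, for each expected event ID, whether it was logged in the given
# Operational channel within the look-back window.

function Test-PasswordProtectionEvents {
    param(
        [Parameter(Mandatory)] [string] $LogName,
        [Parameter(Mandatory)] [int[]]  $EventId,
        [int] $LookBackHours = 24
    )

    # Fail early and clearly if the channel name is wrong (names below are assumptions).
    if (-not (Get-WinEvent -ListLog $LogName -ErrorAction SilentlyContinue)) {
        throw "Event log '$LogName' not found; confirm the channel name with Get-WinEvent -ListLog *AzureADPasswordProtection*"
    }

    $since = (Get-Date).AddHours(-$LookBackHours)
    try {
        $events = Get-WinEvent -FilterHashtable @{
            LogName   = $LogName
            Id        = $EventId
            StartTime = $since
        } -ErrorAction Stop
    } catch {
        # Get-WinEvent raises an error when nothing matches; treat that as "no events".
        $events = @()
    }

    foreach ($id in $EventId) {
        $hit = $events | Where-Object Id -eq $id | Sort-Object TimeCreated | Select-Object -Last 1
        [pscustomobject]@{
            LogName     = $LogName
            EventId     = $id
            Found       = [bool]$hit
            TimeCreated = if ($hit) { $hit.TimeCreated } else { $null }
            Message     = if ($hit) { ($hit.Message -split "`n")[0] } else { "no event $id in the last $LookBackHours h" }
        }
    }
}

# Proxy server: 3000/3001 = proxy registration start/success, 3003/3004 = forest registration start/success.
# Channel name is an assumption based on the Event Viewer path in the post.
Test-PasswordProtectionEvents -LogName 'Microsoft-AzureADPasswordProtection-Proxy/Operational' `
    -EventId 3000, 3001, 3003, 3004 | Format-Table -AutoSize

# Domain controller (run after the restart): 1000 = DLL load, 2001 = service started.
# Channel name is an assumption based on the Event Viewer path in the post.
Test-PasswordProtectionEvents -LogName 'Microsoft-AzureADPasswordProtection-DCAgent/Operational' `
    -EventId 1000, 2001 | Format-Table -AutoSize
```

A row with Found = False for 3001 or 3004 on a proxy, or for 2001 on a DC, is the signal that registration or the agent start did not complete; widen -LookBackHours if the deployment happened earlier than a day ago, and run the DC check only after the restart the post calls for.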

That's it: once you have deployed at least one proxy and one DC agent, you can use Azure AD Password Protection.